-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add seccomp validation tests #135
Add seccomp validation tests #135
Conversation
5567c9e
to
a3e5a1a
Compare
CI failed because dockerd installed doesn't support seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile. |
1ba74a9
to
bc15b03
Compare
bc15b03
to
a8bf593
Compare
a8bf593
to
253de44
Compare
sudo apt-get -y install "docker-engine=17.03.1~ce-0~ubuntu-$(lsb_release -cs)" | ||
|
||
# docker debs don't support seccomp, so we install a static version instead. | ||
curl -sSL -o docker.tgz https://download.docker.com/linux/static/stable/x86_64/docker-17.03.1-ce.tgz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool! :) Ref moby/moby#22870
sudo sh -c 'echo "deb https://apt.dockerproject.org/repo ubuntu-$(lsb_release -cs) main" > /etc/apt/sources.list.d/docker.list' | ||
curl -fsSL https://apt.dockerproject.org/gpg | sudo apt-key add - | ||
sudo apt-key fingerprint 58118E89F3A912897C070ADBF76221572C52609D | ||
sudo apt-get update | ||
sudo apt-get -y install "docker-engine=1.13.1-0~ubuntu-$(lsb_release -cs)" | ||
sudo apt-get -y install "docker-engine=17.03.1~ce-0~ubuntu-$(lsb_release -cs)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we still need this given that we are using static version now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is for manage docker service, e.g. we could restart docker with service docker restart
command. Or else, we need to manage service by ourself, e.g. if docker is started in first stage, we need to kill dockerd and start again in second stage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another question is that why do we use docker 17.03? There is no available 1.13 static binary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep, didn't found 1.13 static binary. 17.03 is the oldest one and also will be supported in kuberentes 1.8.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@feiskyer I don't think 17.03
is supported in Kubernetes 1.8, but yeah I also checked, 17.03 is the oldest one.
I'm fine with testing it for now. We'll be setting up CRI validation in Kubernetes test infra soon, we could test against docker 1.13 then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think 17.03 is supported in Kubernetes 1.8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If so, it means that https://github.com/kubernetes/kubernetes/blob/master/test/e2e_node/system/types.go#L162 needs to be updated.
@yguo0905 told me that docker 1.13 is the newest version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I should have mentioned that they are the same minor release. Created kubernetes/kubernetes#52666 to add 17.03 support to the spec.
@feiskyer LGTM with one question. |
Part of #24: Add seccomp validation tests.